% Copyright 2018 Google LLC
%
% Use of this source code is governed by an MIT-style
% license that can be found in the LICENSE file or at
% https://opensource.org/licenses/MIT.

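@inproceedings{poly1305
,    author   = {Bernstein, Daniel J.}
,    title    = {The {Poly1305-AES} message-authentication code}
,    pages    = {32--49}
,    year     = {2005}
,    crossref = {2005-gilbert-fse2005}
,    url      = {https://cr.yp.to/papers.html#poly1305}
}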

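@proceedings{2005-gilbert-fse2005
,    editor    = {Gilbert, Henri and Handschuh, Helena}
,    title     = {Fast Software Encryption: 12th International Workshop, {FSE} 2005, Paris, France, February 21--23, 2005, Revised Selected Papers}
,    booktitle = {Fast Software Encryption: 12th International Workshop, {FSE} 2005, Paris, France, February 21--23, 2005, Revised Selected Papers}
,    series    = {Lecture Notes in Computer Science}
,    volume    = {3557}
,    publisher = {Springer}
,    isbn      = {3-540-26541-4}
,    year      = {2005}
}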

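@inproceedings{chacha
,    author    = {Bernstein, Daniel J.}
,    title     = {{ChaCha}, a variant of {Salsa20}}
,    booktitle = {State of the Art of Stream Ciphers Workshop, {SASC} 2008, Lausanne, Switzerland}
,    year      = {2008}
,    month     = jan
,    url       = {https://cr.yp.to/papers.html#chacha}
}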

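@techreport{RFC7539
,    author      = {Nir, Yoav and Langley, Adam}
,    title       = {{ChaCha20} and {Poly1305} for {IETF} Protocols}
,    type        = {RFC}
,    number      = {7539}
,    institution = {RFC Editor}
,    publisher   = {RFC Editor}
,    issn        = {2070-1721}
,    year        = {2015}
,    month       = may
,    doi         = {10.17487/RFC7539}
,    url         = {https://www.rfc-editor.org/rfc/rfc7539.txt}
,    note        = {Obsoleted by {RFC} 8439}
}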

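@article{hch
,    author   = {Chakraborty, Debrup and Sarkar, Palash}
,    title    = {{HCH}: A New Tweakable Enciphering Scheme Using the {Hash-Counter-Hash} Approach}
,    journal  = {{IEEE} Transactions on Information Theory}
,    volume   = {54}
,    number   = {4}
,    pages    = {1683--1699}
,    year     = {2008}
,    month    = apr
,    issn     = {0018-9448}
,    doi      = {10.1109/TIT.2008.917623}
,    url      = {https://ia.cr/2007/028}
,    keywords = {cryptography;disc storage;block cipher;disk encryption;hash-counter-hash approach;tweakable enciphering scheme;Authentication;Building materials;Computer science;Counting circuits;Cryptography;Information security;Material storage;NIST;Proposals;Secure storage;Disk encryption;modes of operations;strong pseudorandom permutation;tweakable encryption}
}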

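@inproceedings{cmc
,    author    = {Halevi, Shai and Rogaway, Phillip}
,    editor    = {Boneh, Dan}
,    title     = {A Tweakable Enciphering Mode}
,    booktitle = {Advances in Cryptology -- {CRYPTO} 2003: 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17--21, 2003. Proceedings}
,    year      = {2003}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {482--499}
,    isbn      = {978-3-540-45146-4}
,    doi       = {10.1007/978-3-540-45146-4_28}
,    url       = {https://ia.cr/2003/148}
,    abstract  = {We describe a block-cipher mode of operation, CMC, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where $m \geq 2$. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in the sense of tweakable, strong PRP. Such an object can be used to encipher the sectors of a disk, in-place, offering security as good as can be obtained in this setting. CMC makes a pass of CBC encryption, xors in a mask, and then makes a pass of CBC decryption; no universal hashing, nor any other non-trivial operation beyond the block-cipher calls, is employed. Besides proving the security of CMC we initiate a more general investigation of tweakable enciphering schemes, considering issues like the non-malleability of these objects.}
}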

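@inproceedings{eme
,    author    = {Halevi, Shai and Rogaway, Phillip}
,    editor    = {Okamoto, Tatsuaki}
,    title     = {A Parallelizable Enciphering Mode}
,    booktitle = {Topics in Cryptology -- {CT-RSA} 2004: The Cryptographers' Track at the {RSA} Conference 2004, San Francisco, CA, USA, February 23--27, 2004, Proceedings}
,    year      = {2004}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {292--304}
,    isbn      = {978-3-540-24660-2}
,    doi       = {10.1007/978-3-540-24660-2_23}
,    url       = {https://ia.cr/2003/147}
,    abstract  = {We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where $m \in [1..n]$. The mode is parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption and a ``lightweight mixing'' in between. We prove EME secure, in the reduction-based sense of modern cryptography. We motivate some of the design choices in EME by showing that a few simple modifications of this mode are insecure.}
}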

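@inproceedings{emestar
,    author    = {Halevi, Shai}
,    editor    = {Canteaut, Anne and Viswanathan, Kapaleeswaran}
,    title     = {{EME*}: Extending {EME} to Handle Arbitrary-Length Messages with Associated Data}
,    booktitle = {Progress in Cryptology -- {INDOCRYPT} 2004: 5th International Conference on Cryptology in India, Chennai, India, December 20--22, 2004. Proceedings}
,    year      = {2005}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {315--327}
,    isbn      = {978-3-540-30556-9}
,    doi       = {10.1007/978-3-540-30556-9_25}
,    url       = {https://ia.cr/2004/125}
,    abstract  = {This work describes a mode of operation, EME*, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. Specifically, the resulting scheme can handle any bit-length, not shorter than the block size of the underlying cipher, and it also handles associated data of arbitrary bit-length. Such a scheme can either be used directly in applications that need encryption but cannot afford length expansion, or serve as a convenient building block for higher-level modes.}
}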

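@inproceedings{pep
,    author    = {Chakraborty, Debrup and Sarkar, Palash}
,    editor    = {Robshaw, Matthew}
,    title     = {A New Mode of Encryption Providing a Tweakable Strong Pseudo-random Permutation}
,    booktitle = {Fast Software Encryption: 13th International Workshop, Graz, Austria, March 15--17, 2006, Revised Selected Papers}
,    year      = {2006}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {293--309}
,    isbn      = {978-3-540-36598-3}
,    doi       = {10.1007/11799313_19}
,    url       = {https://ia.cr/2006/275}
,    abstract  = {We present PEP, which is a new construction of a tweakable strong pseudo-random permutation. PEP uses a hash-encrypt-hash approach which has been recently used in the construction of HCTR. This approach is different from the encrypt-mask-encrypt approach of constructions such as CMC, EME and EME*. The general hash-encrypt-hash approach was earlier used by Naor-Reingold to provide a generic construction technique for an SPRP (but not a tweakable SPRP). PEP can be seen as the development of the Naor-Reingold approach into a fully specified mode of operation with a concrete security reduction for a tweakable strong pseudo-random permutation. HCTR is also based on the Naor-Reingold approach but its security bound is weaker than PEP. Compared to previous known constructions, PEP is the only known construction of tweakable SPRP which uses a single key, is efficiently parallelizable and can handle an arbitrary number of blocks.}
}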

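@inproceedings{tet
,    author    = {Halevi, Shai}
,    editor    = {Menezes, Alfred}
,    title     = {Invertible Universal Hashing and the {TET} Encryption Mode}
,    booktitle = {Advances in Cryptology -- {CRYPTO} 2007: 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19--23, 2007. Proceedings}
,    year      = {2007}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {412--429}
,    isbn      = {978-3-540-74143-5}
,    doi       = {10.1007/978-3-540-74143-5_23}
,    url       = {https://ia.cr/2007/014}
,    abstract  = {This work describes a mode of operation, TET, that turns a regular block cipher into a length-preserving enciphering scheme for messages of (almost) arbitrary length. When using an n-bit block cipher, the resulting scheme can handle input of any bit-length between $n$ and $2^n$ and associated data of arbitrary length.}
}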

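@inproceedings{heh
,    author    = {Sarkar, Palash}
,    editor    = {Nam, Kil-Hyun and Rhee, Gwangsoo}
,    title     = {Improving Upon the {TET} Mode of Operation}
,    booktitle = {Information Security and Cryptology---{ICISC} 2007: 10th International Conference, Seoul, Korea, November 29--30, 2007. Proceedings}
,    year      = {2007}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {180--192}
,    isbn      = {978-3-540-76788-6}
,    doi       = {10.1007/978-3-540-76788-6_15}
,    url       = {https://ia.cr/2007/317}
,    abstract  = {Naor and Reingold had proposed the construction of a strong pseudo-random permutation (SPRP) by using a layer of ECB encryption between two layers of invertible block-wise universal hash functions. At Crypto 2007, Halevi presented constructions of invertible block-wise universal hash functions and a new mode of operation (called TET) based on them. In this paper, we present a new mode of operation called HEH using the Naor-Reingold approach. This is built using a new construction of invertible block-wise universal hash function. The new construction improves over Halevi's construction by removing restrictions on the hashing key. This in turn, leads to HEH improving over TET by allowing more efficient encryption and decryption of variable length messages as well as supporting better key agility. For the important application of disk encryption, we present a variant called HEHfp which has better key agility than TET.}
}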

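@misc{hmc
,    author       = {Nandi, Mridul}
,    title        = {Improving upon {HCTR} and matching attacks for {Hash-Counter-Hash} approach}
,    howpublished = {Cryptology ePrint Archive, Report 2008/090}
,    year         = {2008}
,    url          = {https://ia.cr/2008/090}
}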

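@inproceedings{xcb
,    author    = {McGrew, David A. and Fluhrer, Scott R.}
,    editor    = {Adams, Carlisle and Miri, Ali and Wiener, Michael}
,    title     = {The Security of the Extended Codebook ({XCB}) Mode of Operation}
,    booktitle = {Selected Areas in Cryptography: 14th International Workshop, {SAC} 2007, Ottawa, Canada, August 16--17, 2007, Revised Selected Papers}
,    year      = {2007}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {311--327}
,    isbn      = {978-3-540-77360-3}
,    doi       = {10.1007/978-3-540-77360-3_20}
,    url       = {https://ia.cr/2007/298}
,    abstract  = {The XCB mode of operation was outlined in 2004 as a contribution to the IEEE Security in Storage effort, but no security analysis was provided. In this paper, we provide a proof of security for XCB, and show that it is a secure tweakable (super) pseudorandom permutation. Our analysis makes several new contributions: it uses an algebraic property of XCB's internal universal hash function to simplify the proof, and it defines a nonce mode in which XCB can be securely used even when the plaintext is shorter than twice the width of the underlying block cipher. We also show minor modifications that improve the performance of XCB and make it easier to analyze. XCB is interesting because it is highly efficient in both hardware and software, it has no alignment restrictions on input lengths, it can be used in nonce mode, and it uses the internal functions of the Galois/Counter Mode (GCM) of operation, which facilitates design re-use and admits multi-purpose implementations.}
}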

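@inproceedings{hctr
,    author    = {Wang, Peng and Feng, Dengguo and Wu, Wenling}
,    editor    = {Feng, Dengguo and Lin, Dongdai and Yung, Moti}
,    title     = {{HCTR}: A Variable-Input-Length Enciphering Mode}
,    booktitle = {Information Security and Cryptology: First {SKLOIS} Conference, {CISC} 2005, Beijing, China, December 15--17, 2005. Proceedings}
,    year      = {2005}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {175--188}
,    isbn      = {978-3-540-32424-9}
,    doi       = {10.1007/11599548_15}
,    url       = {https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.470.5288}
,    abstract  = {This paper proposes a blockcipher mode of operation, HCTR, which is a length-preserving encryption mode. HCTR turns an n-bit blockcipher into a tweakable blockcipher that supports arbitrary variable input length which is no less than n bits. The tweak length of HCTR is fixed and can be zero. We prove that HCTR is a strong tweakable pseudorandom permutation ($\widetilde{sprp}$), when the underlying blockcipher is a strong pseudorandom permutation (sprp). HCTR is shown to be a very efficient mode of operation when some pre-computations are taken into consideration. Arbitrary variable input length brings much flexibility in various application environments. HCTR can be used in disk sector encryption, and other length-preserving encryptions, especially for the message that is not multiple of n bits.}
}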

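@inproceedings{xsalsa
,    author    = {Bernstein, Daniel J.}
,    title     = {Extending the {Salsa20} nonce}
,    booktitle = {Workshop Record of Symmetric Key Encryption Workshop 2011}
,    year      = {2011}
,    url       = {https://cr.yp.to/papers.html#xsalsa}
}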

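@online{supercop
,    editor  = {Bernstein, Daniel J. and Lange, Tanja}
,    title   = {{eBACS}: {ECRYPT} Benchmarking of Cryptographic Systems}
,    year    = {2018}
,    url     = {https://bench.cr.yp.to/}
,    urldate = {2018-11-25}
}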

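@online{monocypher
,    author  = {Vaillant, Loup}
,    title   = {{monocypher.c}}
,    year    = {2018}
,    url     = {https://github.com/LoupVaillant/Monocypher/blob/2174e60e/src/monocypher.c}
,    urldate = {2018-11-23}
}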

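@online{libsodiumxchacha
,    author       = {Denis, Frank}
,    title        = {{XChaCha20}}
,    organization = {libsodium}
,    year         = {2018}
,    url          = {https://download.libsodium.org/doc/advanced/stream_ciphers/xchacha20}
,    urldate      = {2018-11-23}
}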

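@inproceedings{mercy
,    author    = {Crowley, Paul}
,    editor    = {Schneier, Bruce}
,    title     = {{Mercy}: A Fast Large Block Cipher for Disk Sector Encryption}
,    booktitle = {Fast Software Encryption: 7th International Workshop, New York, NY, USA, April 10--12, 2000 Proceedings}
,    year      = {2001}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {49--63}
,    isbn      = {978-3-540-44706-1}
,    doi       = {10.1007/3-540-44706-7_4}
,    url       = {http://www.ciphergoth.org/crypto/mercy/}
,    abstract  = {We discuss the special requirements imposed on the underlying cipher of systems which encrypt each sector of a disk partition independently, and demonstrate a certificational weakness in some existing block ciphers including Bellare and Rogaway's 1999 proposal, proposing a new quantitative measure of avalanche. To address these needs, we present Mercy, a new block cipher accepting large (4096-bit) blocks, which uses a key-dependent state machine to build a bijective F function for a Feistel cipher. Mercy achieves 9 cycles/byte on a Pentium compatible processor.}
}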

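@inproceedings{bearlion
,    author    = {Anderson, Ross and Biham, Eli}
,    editor    = {Gollmann, Dieter}
,    title     = {Two practical and provably secure block ciphers: {BEAR} and {LION}}
,    booktitle = {Fast Software Encryption: Third International Workshop, Cambridge, UK, February 21--23 1996 Proceedings}
,    year      = {1996}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {113--120}
,    isbn      = {978-3-540-49652-6}
,    doi       = {10.1007/3-540-60865-6_48}
,    url       = {https://www.cl.cam.ac.uk/~rja14/Papers/bear-lion.pdf}
,    abstract  = {In this paper we suggest two new provably secure block ciphers, called BEAR and LION. They both have large block sizes, and are based on the Luby-Rackoff construction. Their underlying components are a hash function and a stream cipher, and they are provably secure in the sense that attacks which find their keys would yield attacks on one or both of the underlying components. They also have the potential to be much faster than existing block ciphers in many applications.}
}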

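@inproceedings{mercycryptanalysis
,    author    = {Fluhrer, Scott R.}
,    title     = {Cryptanalysis of the {Mercy} Block Cipher}
,    booktitle = {Fast Software Encryption, {FSE} 2001}
,    series    = {Lecture Notes in Computer Science}
,    volume    = {2355}
,    pages     = {28--36}
,    publisher = {Springer-Verlag}
,    year      = {2002}
,    url       = {https://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.5.6494}
}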

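@article{luby-rackoff
,    author        = {Luby, Michael and Rackoff, Charles}
,    title         = {How to Construct Pseudorandom Permutations from Pseudorandom Functions}
,    journal       = {{SIAM} Journal on Computing}
,    volume        = {17}
,    number        = {2}
,    pages         = {373--386}
,    year          = {1988}
,    month         = apr
,    issn          = {0097-5397}
,    doi           = {10.1137/0217022}
,    publisher     = {Society for Industrial and Applied Mathematics}
,    address       = {Philadelphia, PA, USA}
,    url           = {https://github.com/emintham/Papers/blob/master/Luby%2CRackoff-%20How%20to%20Construct%20Pseudorandom%20Permutations%20from%20Pseudorandom%20Functions.pdf}
,    internal-note = {url is a third-party mirror of the PDF; the doi is the authoritative locator}
}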

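@inproceedings{maurer-luby-rackoff
,    author    = {Maurer, Ueli M.}
,    title     = {A Simplified and Generalized Treatment of {Luby-Rackoff} Pseudorandom Permutation Generators}
,    booktitle = {Proceedings of the 11th Annual International Conference on Theory and Application of Cryptographic Techniques}
,    series    = {{EUROCRYPT}'92}
,    venue     = {Balatonf{\"u}red, Hungary}
,    year      = {1993}
,    pages     = {239--255}
,    isbn      = {3-540-56413-6}
,    publisher = {Springer-Verlag}
,    address   = {Berlin, Heidelberg}
,    url       = {https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.53.6117}
,    keywords  = {Luby-Rackoff permutation generator, locally random function, pseudorandom function, pseudorandom permutation}
}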

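@inproceedings{brvil
,    author    = {Bellare, Mihir and Rogaway, Phillip}
,    editor    = {Knudsen, Lars}
,    title     = {On the Construction of Variable-Input-Length Ciphers}
,    booktitle = {Fast Software Encryption: 6th International Workshop, Rome, Italy, March 24--26, 1999 Proceedings}
,    year      = {1999}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {231--244}
,    isbn      = {978-3-540-48519-3}
,    doi       = {10.1007/3-540-48519-8_17}
,    url       = {https://cseweb.ucsd.edu/~mihir/papers/lpe.pdf}
,    abstract  = {Whereas a block cipher enciphers messages of some one particular length (the blocklength), a variable-input-length cipher takes messages of varying (and preferably arbitrary) lengths. Still, the length of the ciphertext must equal the length of the plaintext. This paper introduces the problem of constructing such objects, and provides a practical solution. Our VIL mode of operation makes a variable-input-length cipher from any block cipher. The method is demonstrably secure in the provable-security sense of modern cryptography: we give a quantitative security analysis relating the difficulty of breaking the constructed (variable-input-length) cipher to the difficulty of breaking the underlying block cipher.}
}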

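@inproceedings{beast
,    author    = {Lucks, Stefan}
,    editor    = {Horster, Patrick}
,    title     = {{BEAST}: A fast block cipher for arbitrary blocksizes}
,    booktitle = {Communications and Multimedia Security II: Proceedings of the {IFIP} TC6/TC11 International Conference on Communications and Multimedia Security at Essen, Germany, 23rd--24th September 1996}
,    year      = {1996}
,    publisher = {Springer US}
,    address   = {Boston, MA}
,    pages     = {144--153}
,    isbn      = {978-0-387-35083-7}
,    doi       = {10.1007/978-0-387-35083-7_13}
,    url       = {https://pdfs.semanticscholar.org/18fd/ac6eddb22687450c22e1135dc2d9c38c40d1.pdf}
,    abstract  = {This paper describes BEAST, a new blockcipher for arbitrary size blocks. It is a Luby-Rackoff cipher and fast when the blocks are large. BEAST is assembled from cryptographic hash functions and stream ciphers. It is provably secure if these building blocks are secure.}
}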

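@inproceedings{tweakable
,    author    = {Liskov, Moses and Rivest, Ronald L. and Wagner, David}
,    editor    = {Yung, Moti}
,    title     = {Tweakable Block Ciphers}
,    booktitle = {Advances in Cryptology---{CRYPTO} 2002: 22nd Annual International Cryptology Conference Santa Barbara, California, USA, August 18--22, 2002 Proceedings}
,    year      = {2002}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {31--46}
,    isbn      = {978-3-540-45708-4}
,    doi       = {10.1007/3-540-45708-9_3}
,    url       = {https://people.csail.mit.edu/rivest/pubs/LRW02.pdf}
,    abstract  = {We propose a new cryptographic primitive, the ``tweakable block cipher.'' Such a cipher has not only the usual inputs --- message and cryptographic key --- but also a third input, the ``tweak.'' The tweak serves much the same purpose that an initialization vector does for CBC mode or that a nonce does for OCB mode. Our proposal thus brings this feature down to the primitive block-cipher level, instead of incorporating it only at the higher modes-of-operation levels. We suggest that (1) tweakable block ciphers are easy to design, (2) the extra cost of making a block cipher ``tweakable'' is small, and (3) it is easier to design and prove modes of operation based on tweakable block ciphers.}
}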

@misc{games
,    author       = {Shoup, Victor}
,    title        = {Sequences of games: a tool for taming complexity in security proofs}
,    howpublished = {Cryptology ePrint Archive, Report 2004/332}
,    year         = {2004}
,    url          = {https://ia.cr/2004/332}
}

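@article{NaorReingold
,    author        = {Naor, Moni and Reingold, Omer}
,    title         = {On the Construction of Pseudorandom Permutations: {Luby--Rackoff} Revisited}
,    journal       = {Journal of Cryptology}
,    volume        = {12}
,    number        = {1}
,    pages         = {29--66}
,    year          = {1999}
,    month         = jan
,    issn          = {1432-1378}
,    doi           = {10.1007/PL00003817}
,    url           = {https://omereingold.files.wordpress.com/2014/10/lr.pdf}
,    abstract      = {Luby and Rackoff [26] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following:}
,    internal-note = {abstract is truncated in the publisher export}
}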

@online{hpc
,    author  = {Schroeppel, Rich}
,    title   = {Hasty Pudding Cipher Specification}
,    year    = {1998}
,    url     = {http://richard.schroeppel.name/hpc/hpc-spec}
,    urldate = {2018-05-21}
}

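@incollection{salsa20
,    author    = {Bernstein, Daniel J.}
,    editor    = {Robshaw, Matthew and Billet, Olivier}
,    title     = {The {Salsa20} Family of Stream Ciphers}
,    booktitle = {New Stream Cipher Designs: The {eSTREAM} Finalists}
,    year      = {2008}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {84--97}
,    isbn      = {978-3-540-68351-3}
,    doi       = {10.1007/978-3-540-68351-3_8}
,    url       = {https://cr.yp.to/papers.html#salsafamily}
,    abstract  = {Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project. Salsa20 has progressed to the third round of eSTREAM without any changes. The 20-round stream cipher Salsa20/20 is consistently faster than AES and is recommended by the designer for typical cryptographic applications. The reduced-round ciphers Salsa20/12 and Salsa20/8 are among the fastest 256-bit stream ciphers available and are recommended for applications where speed is more important than confidence. The fastest known attacks use $\approx 2^{153}$ simple operations against Salsa20/7, $\approx 2^{249}$ simple operations against Salsa20/8, and $\approx 2^{255}$ simple operations against Salsa20/9, Salsa20/10, etc. In this paper, the Salsa20 designer presents Salsa20 and discusses the decisions made in the Salsa20 design.}
}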

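@misc{salsa812
,    author  = {Bernstein, Daniel J.}
,    title   = {{Salsa20/8} and {Salsa20/12}}
,    year    = {2006}
,    url     = {https://cr.yp.to/snuffle/812.pdf}
,    urldate = {2018-05-21}
}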

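@manual{AES
,    author      = {{National Institute of Standards and Technology}}
,    shortauthor = {{NIST}}
,    title       = {Advanced Encryption Standard ({AES})}
,    note        = {{FIPS} Publication 197}
,    month       = nov
,    year        = {2001}
,    doi         = {10.6028/NIST.FIPS.197}
,    url         = {https://csrc.nist.gov/csrc/media/publications/fips/197/final/documents/fips-197.pdf}
}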

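@misc{speck1
,    author       = {Beaulieu, Ray and Shors, Douglas and Smith, Jason and Treatman-Clark, Stefan and Weeks, Bryan and Wingers, Louis}
,    title        = {The {SIMON} and {SPECK} Families of Lightweight Block Ciphers}
,    howpublished = {Cryptology ePrint Archive, Report 2013/404}
,    year         = {2013}
,    url          = {https://ia.cr/2013/404}
}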

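@misc{speck2
,    author       = {Beaulieu, Ray and Shors, Douglas and Smith, Jason and Treatman-Clark, Stefan and Weeks, Bryan and Wingers, Louis}
,    title        = {{SIMON} and {SPECK}: Block Ciphers for the Internet of Things}
,    howpublished = {Cryptology ePrint Archive, Report 2015/585}
,    year         = {2015}
,    url          = {https://ia.cr/2015/585}
}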

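@misc{speck3
,    author       = {Beaulieu, Ray and Shors, Douglas and Smith, Jason and Treatman-Clark, Stefan and Weeks, Bryan and Wingers, Louis}
,    title        = {Notes on the design and analysis of {SIMON} and {SPECK}}
,    howpublished = {Cryptology ePrint Archive, Report 2017/560}
,    year         = {2017}
,    url          = {https://ia.cr/2017/560}
}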

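@online{poly1305clamp
,    author  = {Bernstein, Daniel J.}
,    title   = {{poly1305aes\_test\_clamp.c}}
,    year    = {2005}
,    url     = {https://cr.yp.to/mac/poly1305aes_test_clamp.c}
,    urldate = {2018-05-31}
}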

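@inproceedings{hctr2
,    author    = {Chakraborty, Debrup and Nandi, Mridul}
,    editor    = {Nyberg, Kaisa}
,    title     = {An Improved Security Bound for {HCTR}}
,    booktitle = {Fast Software Encryption}
,    year      = {2008}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {289--302}
,    isbn      = {978-3-540-71039-4}
,    doi       = {10.1007/978-3-540-71039-4_18}
,    url       = {https://www.iacr.org/cryptodb/archive/2008/FSE/paper/15611.pdf}
,    abstract  = {HCTR was proposed by Wang, Feng and Wu in 2005. It is a mode of operation which provides a tweakable strong pseudorandom permutation. Though HCTR is quite an efficient mode, the authors showed a cubic security bound for HCTR which makes it unsuitable for applications where tweakable strong pseudorandom permutations are required. In this paper we show that HCTR has a better security bound than what the authors showed. We prove that the distinguishing advantage of an adversary in distinguishing HCTR and its inverse from a random permutation and its inverse is bounded above by $4.5\sigma^2/2^n$, where n is the block-length of the block-cipher and $\sigma$ is the number of n-block queries made by the adversary (including the tweak).}
}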

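@inproceedings{ppdes
,    author    = {Patarin, Jacques}
,    editor    = {Cohen, G{\'e}rard and Charpin, Pascale}
,    title     = {Pseudorandom permutations based on the {D.E.S.} scheme}
,    booktitle = {{EUROCODE} '90}
,    year      = {1991}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {193--204}
,    isbn      = {978-3-540-47546-0}
,    doi       = {10.1007/3-540-54303-1_131}
,    abstract  = {We present in a new way the results of Michael Luby and Charles Rackoff ``How to construct pseudorandom permutations from pseudorandom functions'', SIAM J. Comput., 1988, together with some new results thereon.}
}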

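@inproceedings{fasterlr
,    author    = {Lucks, Stefan}
,    editor    = {Gollmann, Dieter}
,    title     = {Faster {Luby-Rackoff} ciphers}
,    booktitle = {Fast Software Encryption}
,    year      = {1996}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {189--203}
,    isbn      = {978-3-540-49652-6}
,    doi       = {10.1007/3-540-60865-6_53}
,    url       = {https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.35.7485}
,    abstract  = {This paper deals with a generalization of Luby's and Rackoff's results [9] on the construction of block ciphers and their consequences for block cipher implementations. Based on dedicated hash functions, block ciphers are proposed which are more efficient and operate on larger blocks than their original Luby-Rackoff counterparts.}
}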

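@misc{sarkar1
,    author       = {Sarkar, Palash}
,    title        = {Tweakable Enciphering Schemes From Stream Ciphers With {IV}}
,    howpublished = {Cryptology ePrint Archive, Report 2009/321}
,    year         = {2009}
,    url          = {https://ia.cr/2009/321}
}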

@article{sarkar2
,    author   = {Sarkar, Palash}
,    title    = {Tweakable enciphering schemes using only the encryption function of a block cipher}
,    journal  = {Information Processing Letters}
,    volume   = {111}
,    number   = {19}
,    pages    = {945--955}
,    year     = {2011}
,    issn     = {0020-0190}
,    doi      = {10.1016/j.ipl.2011.06.014}
,    url      = {https://ia.cr/2009/216}
,    keywords = {Cryptography, Block cipher, Disk encryption, Mode of operation, Stream cipher, Tweakable enciphering scheme}
}

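@article{sarkar3
,    author        = {Chakraborty, Debrup and Mancillas-L{\'o}pez, Cuauhtemoc and Sarkar, Palash}
,    title         = {{STES}: A Stream Cipher Based Low Cost Scheme for Securing Stored Data}
,    journal       = {{IEEE} Transactions on Computers}
,    volume        = {64}
,    pages         = {2691--2707}
,    year          = {2013}
,    doi           = {10.1109/TC.2014.2366739}
,    internal-note = {year, volume and doi year look mutually inconsistent; verify against the published article and add the issue number}
}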

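@misc{sarkar4
,    author       = {Chakraborty, Debrup and Ghosh, Sebati and Mancillas-L{\'o}pez, Cuauhtemoc and Sarkar, Palash}
,    title        = {{FAST}: Disk Encryption and Beyond}
,    howpublished = {Cryptology ePrint Archive, Report 2017/849}
,    year         = {2017}
,    url          = {https://ia.cr/2017/849}
}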

@inproceedings{kdm
,    author    = {Black, John and Rogaway, Phillip and Shrimpton, Thomas}
,    editor    = {Nyberg, Kaisa and Heys, Howard}
,    title     = {Encryption-Scheme Security in the Presence of Key-Dependent Messages}
,    booktitle = {Selected Areas in Cryptography}
,    year      = {2003}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    pages     = {62--75}
,    isbn      = {978-3-540-36492-4}
,    doi       = {10.1007/3-540-36492-7_6}
,    url       = {https://cise.ufl.edu/~teshrim/kdm.pdf}
,    abstract  = {Encryption that is only semantically secure should not be used on messages that depend on the underlying secret key; all bets are off when, for example, one encrypts using a shared key K the value K. Here we introduce a new notion of security, KDM security, appropriate for key-dependent messages. The notion makes sense in both the publickey and shared-key settings. For the latter we show that KDM security is easily achievable within the random-oracle model. By developing and achieving stronger notions of encryption-scheme security it is hoped that protocols which are proven secure under ``formal'' models of security can, in time, be safely realized by generically instantiating their primitives.}
}

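@inproceedings{concrete
,    author        = {Bellare, Mihir and Desai, Anand and Jokipii, Eron and Rogaway, Phillip}
,    title         = {A Concrete Security Treatment of Symmetric Encryption}
,    booktitle     = {Proceedings of the 38th Annual Symposium on Foundations of Computer Science}
,    series        = {{FOCS} '97}
,    year          = {1997}
,    isbn          = {0-8186-8197-7}
,    pages         = {394--}
,    publisher     = {{IEEE} Computer Society}
,    address       = {Washington, DC, USA}
,    doi           = {10.1109/SFCS.1997.646128}
,    url           = {https://cseweb.ucsd.edu/~mihir/papers/sym-enc.html}
,    internal-note = {end page missing in the source export; complete the page range}
}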

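@techreport{xts
,    author      = {{Institute of Electrical and Electronics Engineers}}
,    shortauthor = {IEEE}
,    title       = {{ANSI/IEEE} 1619-2007 -- {IEEE} Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices}
,    institution = {Institute of Electrical and Electronics Engineers}
,    type        = {Standard}
,    year        = {2008}
,    url         = {https://standards.ieee.org/findstds/standard/1619-2007.html}
}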

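@misc{noekeon
,    author       = {Daemen, Joan and Peeters, Micha{\"e}l and Van Assche, Gilles and Rijmen, Vincent}
,    title        = {{Nessie} Proposal: The Block Cipher {Noekeon}}
,    howpublished = {{Nessie} submission}
,    year         = {2000}
,    url          = {http://gro.noekeon.org/}
}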

@misc{xtea
,    author = {Needham, Roger M. and Wheeler, David J.}
,    title  = {Tea extensions}
,    year   = {1997}
,    url    = {http://www.cix.co.uk/~klockstone/xtea.pdf}
}

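@misc{ctr
,    author = {Lipmaa, Helger and Wagner, David and Rogaway, Phillip}
,    title  = {Comments to {NIST} concerning {AES} modes of operation: {CTR}-mode encryption}
,    year   = {2000}
,    url    = {https://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.79.1353}
}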

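@inproceedings{umac1
,    author    = {Black, John and Halevi, Shai and Krawczyk, Hugo and Krovetz, Ted and Rogaway, Phillip}
,    editor    = {Wiener, Michael}
,    title     = {{UMAC}: Fast and Secure Message Authentication}
,    booktitle = {Advances in Cryptology --- {CRYPTO} '99}
,    pages     = {216--233}
,    year      = {1999}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-540-48405-9}
,    doi       = {10.1007/3-540-48405-1_14}
,    url       = {https://fastcrypto.org/umac/umac_proc.pdf}
,    abstract  = {We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The ``cryptographic'' work of UMAC is done using standard primitives of the user's choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.}
}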

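@book{fleurs
,    author    = {de la Tour, Charlotte}
,    title     = {Le langage des fleurs}
,    publisher = {Garnier Fr{\`e}res}
,    year      = {1819}
}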

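@techreport{rfc4418
,    author       = {Krovetz, Ted}
,    title        = {{UMAC}: Message Authentication Code using Universal Hashing}
,    howpublished = {Internet Requests for Comments}
,    type         = {RFC}
,    number       = {4418}
,    year         = {2006}
,    month        = mar
,    issn         = {2070-1721}
,    publisher    = {RFC Editor}
,    institution  = {RFC Editor}
,    url          = {https://www.rfc-editor.org/rfc/rfc4418.txt}
}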

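@phdthesis{umac2
,    author    = {Krovetz, Theodore Dennis}
,    advisor   = {Rogaway, Phillip}
,    title     = {Software-optimized Universal Hashing and Message Authentication}
,    school    = {University of California, Davis}
,    publisher = {University of California, Davis}
,    year      = {2000}
,    isbn      = {0-599-94329-7}
,    url       = {https://fastcrypto.org/umac/}
}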

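@techreport{xchacha
,    author       = {Arciszewski, Scott}
,    title        = {{XChaCha}: {eXtended}-nonce {ChaCha} and {AEAD-XChaCha20-Poly1305}}
,    howpublished = {Working Draft}
,    note         = {Working Draft}
,    type         = {Internet-Draft}
,    number       = {draft-arciszewski-xchacha-02}
,    year         = {2018}
,    month        = oct
,    institution  = {IETF Secretariat}
,    url          = {http://www.ietf.org/internet-drafts/draft-arciszewski-xchacha-02.txt}
}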

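@misc{aes-cache-timing
,    author  = {Bernstein, Daniel J.}
,    title   = {Cache-timing attacks on {AES}}
,    year    = {2005}
,    url     = {https://cr.yp.to/antiforgery/cachetiming-20050414.pdf}
,    urldate = {2018-10-17}
}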

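@inproceedings{hco
,    author    = {Patarin, Jacques}
,    editor    = {Avanzi, Roberto Maria and Keliher, Liam and Sica, Francesco}
,    title     = {The ``Coefficients {H}'' Technique}
,    booktitle = {Selected Areas in Cryptography}
,    pages     = {328--345}
,    year      = {2009}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-642-04159-4}
,    doi       = {10.1007/978-3-642-04159-4_21}
,    url       = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.702.3488}
,    abstract  = {The ``coefficient H technique'' is a tool introduced in 1991 and used to prove various pseudo-random properties from the distribution of the number of keys that sends cleartext on some ciphertext. It can also be used to find attacks on cryptographic designs. We can like this unify a lot of various pseudo-random results obtained by different authors. In this paper we will present this technique and we will give some examples of results obtained.}
}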

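@inproceedings{hco2
,    author    = {Chen, Shan and Steinberger, John}
,    editor    = {Nguyen, Phong Q. and Oswald, Elisabeth}
,    title     = {Tight Security Bounds for Key-Alternating Ciphers}
,    booktitle = {Advances in Cryptology -- {EUROCRYPT} 2014}
,    pages     = {327--350}
,    year      = {2014}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-642-55220-5}
,    doi       = {10.1007/978-3-642-55220-5_19}
,    url       = {https://ia.cr/2013/222}
,    abstract  = {A t-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher $E$ from $t$ fixed public permutations $P_1, \ldots, P_t : \{0,1\}^n \to \{0,1\}^n$ and a key $k = k_0 \| \cdots \| k_t \in \{0,1\}^{n(t+1)}$ by setting $E_k(x) = k_t \oplus P_t(k_{t-1} \oplus P_{t-1}(\cdots k_1 \oplus P_1(k_0 \oplus x) \cdots))$. The indistinguishability of $E_k$ from a truly random permutation by an adversary who also has oracle access to the (public) random permutations $P_1, \ldots, P_t$ was investigated in 1997 by Even and Mansour for $t = 1$ and for higher values of $t$ in a series of recent papers. For $t = 1$, Even and Mansour proved indistinguishability security up to $2^{n/2}$ queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be $2^{\frac{t}{t+1}n}$ queries for general $t$, which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour's original result for $t = 1$: Bogdanov et al. proved security of $2^{\frac{2}{3}n}$ for $t \geq 2$, Steinberger (2012) proved security of $2^{\frac{3}{4}n}$ for $t \geq 3$, and Lampe, Patarin and Seurin (2012) proved security of $2^{\frac{t}{t+2}n}$ for all even values of $t$, thus ``barely'' falling short of the desired $2^{\frac{t}{t+1}n}$.}
,    internal-note = {Abstract re-typed as LaTeX math; the imported version was mojibake (UTF-8 math symbols read as Latin-1) and would not have compiled cleanly.}
}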

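@inproceedings{cbcsec
,    author    = {Bellare, Mihir and Kilian, Joe and Rogaway, Phillip}
,    editor    = {Desmedt, Yvo G.}
,    title     = {The Security of Cipher Block Chaining}
,    booktitle = {Advances in Cryptology --- {CRYPTO} '94}
,    pages     = {341--358}
,    year      = {1994}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-540-48658-9}
,    doi       = {10.1006/jcss.1999.1694}
,    url       = {https://cseweb.ucsd.edu/~mihir/papers/cbc.pdf}
,    abstract  = {The Cipher Block Chaining --- Message Authentication Code (CBC MAC) specifies that a message $x = x_1 \ldots x_m$ be authenticated among parties who share a secret key $a$ by tagging $x$ with a prefix of $f_a^{(m)}(x) \stackrel{\mathrm{def}}{=} f_a(f_a(\ldots f_a(f_a(x_1) \oplus x_2) \oplus \ldots \oplus x_{m-1}) \oplus x_m)$ where $f$ is some underlying block cipher (eg. $f$ = DES). This method is a pervasively used international and U.S. standard. We provide its first formal justification, showing the following general lemma: that cipher block chaining a pseudorandom function gives a pseudorandom function. Underlying our results is a technical lemma of independent interest, bounding the success probability of a computationally unbounded adversary in distinguishing between a random ml-bit to l-bit function and the CBC MAC of a random l-bit to l-bit function.}
,    internal-note = {The doi (10.1006/jcss...) is a journal-article identifier while booktitle/isbn describe the CRYPTO '94 proceedings version; verify which version is meant and align doi with it.}
}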

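@inproceedings{concsym
,    author    = {Bellare, Mihir and Desai, Anand and Jokipii, Eron and Rogaway, Phillip}
,    title     = {A Concrete Security Treatment of Symmetric Encryption}
,    booktitle = {38th Annual Symposium on Foundations of Computer Science, {FOCS} '97, Miami Beach, Florida, USA, October 19--22, 1997}
,    pages     = {394--403}
,    year      = {1997}
,    crossref  = {DBLP:conf/focs/1997}
,    url       = {http://web.cs.ucdavis.edu/~rogaway/papers/sym-enc.pdf}
,    doi       = {10.1109/SFCS.1997.646128}
,    timestamp = {Fri, 19 May 2017 01:00:00 +0200}
,    biburl    = {https://dblp.org/rec/bib/conf/focs/BellareDJR97}
,    bibsource = {dblp computer science bibliography, https://dblp.org}
,    internal-note = {Same paper as entry concrete (identical title and DOI); keep one key. The leading-comma line style had moved the comma after FOCS '97 inside the booktitle value, which rendered as "'97 , Miami"; the value is now on one line.}
}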

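@proceedings{DBLP:conf/focs/1997
,    title     = {38th Annual Symposium on Foundations of Computer Science, {FOCS} '97, Miami Beach, Florida, USA, October 19--22, 1997}
,    booktitle = {38th Annual Symposium on Foundations of Computer Science, {FOCS} '97, Miami Beach, Florida, USA, October 19--22, 1997}
,    publisher = {{IEEE} Computer Society}
,    year      = {1997}
,    url       = {http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=5208}
,    isbn      = {0-8186-8197-7}
,    timestamp = {Mon, 15 Dec 2014 18:48:44 +0100}
,    biburl    = {https://dblp.org/rec/bib/conf/focs/1997}
,    bibsource = {dblp computer science bibliography, https://dblp.org}
,    internal-note = {crossref parent of concsym; classic BibTeX needs booktitle here (title is not copied to booktitle) and the parent must stay after its children.}
}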

@article{eadu
,    author    = {Stinson, Douglas R.}
,    title     = {On the Connections Between Universal Hashing, Combinatorial Designs and Error-Correcting Codes}
,    journal   = {Electronic Colloquium on Computational Complexity {(ECCC)}}
,    volume    = {2}
,    number    = {52}
,    year      = {1995}
,    url       = {http://eccc.hpi-web.de/eccc-reports/1995/TR95-052/index.html}
,    timestamp = {Tue, 14 Aug 2018 17:08:05 +0200}
,    biburl    = {https://dblp.org/rec/bib/journals/eccc/ECCC-TR95-052}
,    bibsource = {dblp computer science bibliography, https://dblp.org}
}

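@article{chachamaitra
,    author   = {Maitra, Subhamoy}
,    title    = {Chosen {IV} cryptanalysis on reduced round {ChaCha} and {Salsa}}
,    journal  = {Discrete Applied Mathematics}
,    volume   = {208}
,    pages    = {88--97}
,    year     = {2016}
,    issn     = {0166-218X}
,    doi      = {10.1016/j.dam.2016.02.020}
,    url      = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.732.5014}
,    keywords = {Stream cipher, ChaCha, Salsa, Non-randomness, Probabilistic Neutral Bit (PNB), ARX cipher}
,    abstract = {Recently, ChaCha20 (the stream cipher ChaCha with 20 rounds) is in the process of being a standardized and thus it attracts serious interest in cryptanalysis. The most significant effort to analyse Salsa and ChaCha was explained by Aumasson et al. long back (FSE 2008) and further, only minor improvements could be achieved. In this paper, first we revisit the work of Aumasson et al. to provide a clearer insight of the existing attack ($2^{248}$ complexity for ChaCha7, i.e., 7 rounds) and show certain improvements (complexity around $2^{243}$) by exploiting additional Probabilistic Neutral Bits. More importantly, we describe a novel idea that explores proper choice of IVs corresponding to the keys, for which the complexity can be improved further ($2^{239}$). The choice of IVs corresponding to the keys is the prime observation of this work. We systematically show how a single difference propagates after one round and how the differences can be reduced with proper choices of IVs. For Salsa too (Salsa20/8, i.e., 8 rounds), we get improvement in complexity, reducing it to $2^{245.5}$ from $2^{247.2}$ reported by Aumasson et al.}
,    internal-note = {Attack complexities in the abstract were imported with their exponents flattened (2248 for 2^248 etc.); restored as math.}
}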

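@inproceedings{latindance
,    author    = {Aumasson, Jean-Philippe and Fischer, Simon and Khazaei, Shahram and Meier, Willi and Rechberger, Christian}
,    editor    = {Nyberg, Kaisa}
,    title     = {New Features of Latin Dances: Analysis of {Salsa}, {ChaCha}, and {Rumba}}
,    booktitle = {Fast Software Encryption}
,    pages     = {470--488}
,    year      = {2008}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-540-71039-4}
,    doi       = {10.1007/978-3-540-71039-4_30}
,    url       = {https://eprint.iacr.org/2007/472}
,    abstract  = {The stream cipher Salsa20 was introduced by Bernstein in 2005 as a candidate in the eSTREAM project, accompanied by the reduced versions Salsa20/8 and Salsa20/12. ChaCha is a variant of Salsa20 aiming at bringing better diffusion for similar performance. Variants of Salsa20 with up to 7 rounds (instead of 20) have been broken by differential cryptanalysis, while ChaCha has not been analyzed yet. We introduce a novel method for differential cryptanalysis of Salsa20 and ChaCha, inspired by correlation attacks and related to the notion of neutral bits. This is the first application of neutral bits in stream cipher cryptanalysis. It allows us to break the 256-bit version of Salsa20/8, to bring faster attacks on the 7-round variant, and to break 6- and 7-round ChaCha. In a second part, we analyze the compression function Rumba, built as the XOR of four Salsa20 instances and returning a 512-bit output. We find collision and preimage attacks for two simplified variants, then we discuss differential attacks on the original version, and exploit a high-probability differential to reduce complexity of collision search from $2^{256}$ to $2^{79}$ for 3-round Rumba. To prove the correctness of our approach we provide examples of collisions and near-collisions on simplified versions.}
}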

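@inproceedings{tdcs20
,    author       = {Crowley, Paul}
,    title        = {Truncated differential cryptanalysis of five rounds of {Salsa20}}
,    booktitle    = {The State of the Art of Stream Ciphers}
,    year         = {2006}
,    organization = {ECRYPT Network of Excellence}
,    month        = feb
,    url          = {https://ia.cr/2005/375}
}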

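@inproceedings{chacha2018
,    author    = {Deepthi, Kakumani K. C. and Singh, Kunwar}
,    editor    = {Hu, Jiankun and Khalil, Ibrahim and Tari, Zahir and Wen, Sheng}
,    title     = {Cryptanalysis of {Salsa} and {ChaCha}: Revisited}
,    booktitle = {Mobile Networks and Management}
,    pages     = {324--338}
,    year      = {2018}
,    publisher = {Springer International Publishing}
,    address   = {Cham}
,    isbn      = {978-3-319-90775-8}
,    doi       = {10.1007/978-3-319-90775-8_26}
,    abstract  = {Stream cipher is one of the basic cryptographic primitives that provide the confidentiality of communication through insecure channel. EU ECRYPT network has organized a project for identifying new stream suitable for widespread adoption where the ciphers can provide a more security levels. Finally the result of the project has identified new stream ciphers referred as eSTREAM. Salsa20 is one of the eSTREAM cipher built on a pseudorandom function. In this paper our contribution is two phases. First phase have two parts. In WCC 2015, Maitra et al. [9] explained characterization of valid states by reversing one round of Salsa20. In first part, we have revisited the Maitra et al. [9] characterization of valid states by reversing one round of Salsa20. We found there is a mistake in one bit change in $8^{th}$ and $9^{th}$ word in first round will result in valid initial state. In second part, Maitra et al. [9] as mentioned that it would be an interesting combinatorial problem to characterize all such states. We have characterized nine more values which lead to valid initial states. The combinations $(s_4,s_7)$, $(s_2,s_3)$, $(s_{13},s_{14})$, $(s_1,s_6)$, $(s_1,s_{11})$, $(s_1,s_{12})$, $(s_6,s_{11})$, $(s_6,s_{12})$ and $(s_{11}, s_{12})$ which characterized as valid states.}
}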

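@article{Choudhuri_Maitra_2017
,    author  = {Choudhuri, Arka and Maitra, Subhamoy}
,    title   = {Significantly Improved Multi-bit Differentials for Reduced Round {Salsa} and {ChaCha}}
,    journal = {{IACR} Transactions on Symmetric Cryptology}
,    volume  = {2016}
,    number  = {2}
,    pages   = {261--287}
,    year    = {2017}
,    month   = feb
,    doi     = {10.13154/tosc.v2016.i2.261-287}
,    url     = {https://tosc.iacr.org/index.php/ToSC/article/view/574}
}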

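@inproceedings{nonrandomsalsa
,    author    = {Fischer, Simon and Meier, Willi and Berbain, C{\^o}me and Biasse, Jean-Fran{\c{c}}ois and Robshaw, M. J. B.}
,    editor    = {Barua, Rana and Lange, Tanja}
,    title     = {Non-randomness in {eSTREAM} Candidates {Salsa20} and {TSC-4}}
,    booktitle = {Progress in Cryptology -- {INDOCRYPT} 2006}
,    pages     = {2--16}
,    year      = {2006}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-540-49769-1}
,    doi       = {10.1007/11941378_2}
,    url       = {http://www.lix.polytechnique.fr/~biasse/papers/INDOCRYPT2006.pdf}
,    abstract  = {Stream cipher initialisation should ensure that the initial state or keystream is not detectably related to the key and initialisation vector. In this paper we analyse the key/IV setup of the eSTREAM Phase 2 candidates Salsa20 and TSC-4. In the case of Salsa20 we demonstrate a key recovery attack on six rounds and observe non-randomness after seven. For TSC-4, non-randomness over the full eight-round initialisation phase is detected, but would also persist for more rounds.}
}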

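@inproceedings{ishiguro2011
,    author    = {Ishiguro, Tsukasa and Kiyomoto, Shinsaku and Miyake, Yutaka}
,    editor    = {Qing, Sihan and Susilo, Willy and Wang, Guilin and Liu, Dongmei}
,    title     = {Latin Dances Revisited: New Analytic Results of {Salsa20} and {ChaCha}}
,    booktitle = {Information and Communications Security}
,    pages     = {255--266}
,    year      = {2011}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-642-25243-3}
,    doi       = {10.1007/978-3-642-25243-3_21}
,    abstract  = {In this paper, we propose new attacks on 9-round Salsa20 and 8-round ChaCha. We constructed a distinguisher of double-bit differentials to improve Aumasson's single-bit differential cryptanalysis. We searched for correlations using a PC, and found strong correlations in 9-round Salsa20 and 8-round ChaCha. The complexities of the introduced attacks are $2^{16}$ in 9-round Salsa20 and 2 in 8-round ChaCha, which are much less than the complexities of an exhaustive key search and existing attacks on those ciphers. The results show that an adversary can distinguish keystream bits from random bits using a few input and output pairs of an initial keys and initial vectors. This method has potential to apply to a wide range of stream ciphers; a double-bit correlation would be found in case that no single-bit correlation is found.}
,    internal-note = {The second complexity figure in the abstract (2 in 8-round ChaCha) lost its exponent on import and could not be recovered from this file; check the paper. See also ishiguro2012, the corrected version.}
}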

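@misc{ishiguro2012
,    author       = {Ishiguro, Tsukasa}
,    title        = {Modified version of ``Latin Dances Revisited: New Analytic Results of {Salsa20} and {ChaCha}''}
,    howpublished = {Cryptology ePrint Archive, Report 2012/065}
,    year         = {2012}
,    url          = {https://ia.cr/2012/065}
}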

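@article{dey2017
,    author   = {Dey, Sabyasachi and Sarkar, Santanu}
,    title    = {Improved analysis for reduced round {Salsa} and {ChaCha}}
,    journal  = {Discrete Applied Mathematics}
,    volume   = {227}
,    pages    = {58--69}
,    year     = {2017}
,    issn     = {0166-218X}
,    doi      = {10.1016/j.dam.2017.04.034}
,    keywords = {Stream cipher, Chacha, Salsa, Probabilistic Neutral Bit}
,    abstract = {Salsa20 and ChaCha20 are two of the most promising ciphers in recent days. The most significant step in the cryptanalysis of Salsa and ChaCha is the idea of Probabilistic Neutral Bits, which was introduced by Aumasson et al. (FSE 2008). After that, no significant improvement is achieved in the procedure of choosing Probabilistic Neutral Bits. The works in this direction mostly were concerned about forward probabilities. In this paper, we give a new algorithm to construct Probabilistic Neutral Bits. We use this algorithm to improve the existing attacks for reduced rounds of both Salsa and ChaCha. Our attacks on Salsa and Chacha are respectively around 2.27 and 5.39 times faster than the existing works of Choudhuri and Maitra (accepted in FSE 2017).}
}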

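@inproceedings{zhenqing2012
,    author    = {Shi, Zhenqing and Zhang, Bin and Feng, Dengguo and Wu, Wenling}
,    editor    = {Kwon, Taekyoung and Lee, Mun-Kyu and Kwon, Daesung}
,    title     = {Improved Key Recovery Attacks on Reduced-Round {Salsa20} and {ChaCha}}
,    booktitle = {Information Security and Cryptology -- {ICISC} 2012}
,    pages     = {337--351}
,    year      = {2013}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-642-37682-5}
,    doi       = {10.1007/978-3-642-37682-5_24}
,    abstract  = {Salsa20 is a stream cipher designed by Bernstein in 2005 and Salsa20/12 has been selected into the final portfolio of the eSTREAM Project. ChaCha is a variant of Salsa20 with faster diffusion for similar performance. The previous best results on Salsa20 and ChaCha proposed by Aumasson et al. exploits the differential properties combined with the probabilistic neutral bits (PNB). In this paper, we extend their approach by considering a new type of distinguishers, named (column and row) chaining distinguishers. Besides, we exhibit new high probability second-order differential trails not covered by the previous methods, generalize the notion of PNB to probabilistic neutral vectors (PNV) and show that the set of PNV is no smaller than that of PNB. Based on these findings, we present improved key recovery attacks on reduced-round Salsa20 and ChaCha. Both time and data complexities of our attacks are smaller than those of the best former results.}
}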

@misc{maitra2015
,    author       = {Maitra, Subhamoy and Paul, Goutam and Meier, Willi}
,    title        = {Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles}
,    howpublished = {Cryptology ePrint Archive, Report 2015/217}
,    year         = {2015}
,    url          = {https://ia.cr/2015/217}
}

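@inproceedings{tsunoo
,    author       = {Tsunoo, Yukiyasu and Saito, Teruo and Kubo, Hiroyasu and Suzaki, Tomoyasu and Nakashima, Hiroki}
,    title        = {Truncated differential cryptanalysis of five rounds of {Salsa20}}
,    booktitle    = {The State of the Art of Stream Ciphers}
,    year         = {2007}
,    organization = {ECRYPT Network of Excellence}
,    month        = feb
,    url          = {http://www.ecrypt.eu.org/stream/papersdir/2007/010.pdf}
,    internal-note = {Title is identical to entry tdcs20 (Crowley, 2006) while the authors, year and URL differ; verify the title against the linked PDF before citing.}
}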

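@misc{choudhuri2016
,    author       = {Choudhuri, Arka Rai and Maitra, Subhamoy}
,    title        = {Differential Cryptanalysis of {Salsa} and {ChaCha} -- An Evaluation with a Hybrid Model}
,    howpublished = {Cryptology ePrint Archive, Report 2016/377}
,    year         = {2016}
,    url          = {https://ia.cr/2016/377}
}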

@unpublished{bd99
,    author = {Bleichenbacher, Daniel and Desai, Anand}
,    title  = {A construction of a super-pseudorandom cipher}
,    note   = {Manuscript}
,    year   = {1999}
,    month  = feb
}

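@inproceedings{hse
,    author    = {Minematsu, Kazuhiko and Matsushima, Toshiyasu}
,    editor    = {Srinathan, K. and Rangan, C. Pandu and Yung, Moti}
,    title     = {Tweakable Enciphering Schemes from {Hash-Sum-Expansion}}
,    booktitle = {Progress in Cryptology -- {INDOCRYPT} 2007}
,    pages     = {252--267}
,    year      = {2007}
,    publisher = {Springer Berlin Heidelberg}
,    address   = {Berlin, Heidelberg}
,    isbn      = {978-3-540-77026-8}
,    doi       = {10.1007/978-3-540-77026-8_19}
,    abstract  = {We study a tweakable blockcipher for arbitrarily long message (also called a tweakable enciphering scheme) that consists of a universal hash function and an expansion, a keyed function with short input and long output. Such schemes, called HCTR and HCH, have been recently proposed. They used (a variant of) the counter mode of a blockcipher for the expansion. We provide a security proof of a structure that underlies HCTR and HCH. We prove that the expansion can be instantiated with any function secure against Known-plaintext attacks (KPAs), which is called a weak pseudorandom function (WPRF). As an application of our proof, we provide efficient blockcipher-based schemes comparable to HCH and HCTR. For the double-block-length case, our result is an interesting extension of previous attempts to build a double-block-length cryptographic permutation using WPRF.}
}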

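@mastersthesis{kumarhctr
,    author      = {Kumar, Manish}
,    title       = {Security of {XCB} and {HCTR}}
,    school      = {Indian Statistical Institute}
,    institution = {Indian Statistical Institute}
,    year        = {2018}
,    month       = jul
,    url         = {http://library.isical.ac.in:8080/jspui/bitstream/123456789/6953/1/Diss-387.pdf}
}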
